Atlantic.Net Blog

How to Set Up Firewall with Firewalld on CentOS 8

A firewall is a way to protect your system from unwanted traffic from outside networks. Free and commercial firewall tools are plentiful; some of them include Iptables, UFW, Juniper, pfSense, SonicWall, and more.

Among them, FirewallD is a free firewall tool for the CentOS/RHEL/Fedora operating systems. It is a frontend controller for iptables and provides a command-line interface for implementing firewall rules. Unlike Iptables, FirewallD uses zones and services instead of chains and rules, and it manages rulesets dynamically. FirewallD provides the firewall-cmd command-line tool to manage the runtime and permanent configuration.

Step 1: Install Firewalld

By default, FirewallD comes pre-installed in the CentOS operating system. If not installed, you can install it by running the following command:

dnf install firewalld -y

Once installed, start the FirewallD service and enable it to start at system reboot with the following command:

systemctl start firewalld
systemctl enable firewalld

You can also verify FirewallD’s status using the following command:

firewall-cmd --state

Output:

running

Step 2: Basic FirewallD Usage

FirewallD manages a set of rules using zones. Each zone has its own configuration to accept or deny packets depending on the level of trust you have in the networks your computer is connected to.

You can list all available zones using the following command:

firewall-cmd --get-zones

You should see the following list:

block dmz drop external home internal public trusted work

To get a list of all active zones, run the following command:

firewall-cmd --get-active-zones

You should see the following list:

public
interfaces: eth0 eth1

You can list the default zone set for network connections using the following command:

firewall-cmd --get-default-zone

Output:

public

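To change the default zone from public to home, run the following command. The --set-default-zone option updates both the runtime and the permanent configuration, so it is used without --permanent:

firewall-cmd --set-default-zone=home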

To display more information about any zone, use the following command:

firewall-cmd --info-zone public

You should get the following output:

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

You can also list all available services by running the following command:

firewall-cmd --get-services

You should get the following output:

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Step 3: Allow and Deny Ports with Firewalld

FirewallD provides the firewall-cmd command-line tool to add and remove ports on your system.

For example, to allow TCP ports 80 and 22 in the public zone, run the following command:

firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=22/tcp

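Next, reload the FirewallD daemon. Rules added with --permanent are written to disk only; the reload loads the permanent configuration into the running firewall: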

firewall-cmd --reload

Now, list the added ports with the following command:

firewall-cmd --info-zone public

You should see the following output:

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client ssh
ports: 80/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

You can also deny or remove a port from the zone easily using the option --remove-port.

For example, to deny or remove port 80 from the public zone, run the following commands:

firewall-cmd --zone=public --permanent --remove-port=80/tcp
firewall-cmd --reload

Step 4: Allow and Deny Services with FirewallD

With FirewallD, you can also allow and deny traffic by service name instead of by port number.

For example, allow FTP service in the public zone by running the following command:

firewall-cmd --zone=public --permanent --add-service=ftp
firewall-cmd --reload

You can deny or remove the FTP service from the public zone using the following command:

firewall-cmd --zone=public --permanent --remove-service=ftp
firewall-cmd --reload
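
The following script is an added example, not part of the original article. It compares the zone output from Step 3 with an intended allowlist and prints the --remove-service / --remove-port commands that would close everything else. The helper name exposure_fixes and the allowlist (ssh service, 80/tcp) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# Sample input: the `firewall-cmd --info-zone public` output shown in Step 3.
ZONE_INFO='public (active)
  target: default
  interfaces: eth0 eth1
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp
  masquerade: no'

# exposure_fixes ZONE INFO_TEXT ALLOWED_SERVICES ALLOWED_PORTS
# (hypothetical helper) Prints one removal command for every service or port
# that is open in the zone but missing from the space-separated allowlists.
exposure_fixes() {
    printf '%s\n' "$2" | awk -v zone="$1" -v oksvc="$3" -v okport="$4" '
        BEGIN {
            n = split(oksvc, a, " ");  for (i = 1; i <= n; i++) svc[a[i]] = 1
            n = split(okport, b, " "); for (i = 1; i <= n; i++) port[b[i]] = 1
        }
        # Exact match on the field name, so source-ports and forward-ports are skipped.
        $1 == "services:" {
            for (i = 2; i <= NF; i++) {
                if (!($i in svc)) {
                    printf "firewall-cmd --zone=%s --permanent --remove-service=%s\n", zone, $i
                }
            }
        }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                if (!($i in port)) {
                    printf "firewall-cmd --zone=%s --permanent --remove-port=%s\n", zone, $i
                }
            }
        }
    '
}

# Intended exposure for this host (assumption): SSH via the ssh service, HTTP on 80/tcp.
# 22/tcp is already opened by the ssh service, so the separate port entry is redundant.
exposure_fixes public "$ZONE_INFO" "ssh" "80/tcp"
# On a live system:
#   exposure_fixes public "$(firewall-cmd --info-zone public)" "ssh" "80/tcp"
```

Review the printed commands before running them, then finish with firewall-cmd --reload.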

Step 5: Setup IP Masquerading with FirewallD

IP masquerading is a method that allows computers on a network with private IP addresses to communicate with the Internet using your server’s address. It is very useful when you want another computer to communicate with the Internet without buying additional IPs from your ISP.

Before setting up IP masquerading, check if masquerading is active or not with the following command:

firewall-cmd --zone=public --query-masquerade

You should see that IP masquerading is disabled in the public zone as shown below:

no

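Now, enable IP masquerading using the following commands. The --permanent option is required here because --reload replaces the runtime configuration with the permanent one and discards runtime-only changes:

firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload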

You can also disable IP masquerading using the option --remove-masquerade:

firewall-cmd --zone=public --permanent --remove-masquerade
firewall-cmd --reload
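
The following script is an added example, not part of the original article. It shows which settings exist only in the runtime configuration (and would be lost on --reload) or only in the permanent configuration (and are not yet active). The helper name zone_drift and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# Constructed sample: runtime state after --add-masquerade and --add-port=8080/tcp
# were run without --permanent, next to the unchanged permanent configuration.
RUNTIME='public (active)
  interfaces: eth0 eth1
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp 8080/tcp
  masquerade: yes
  forward-ports:'
PERMANENT='public
  interfaces:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp
  masquerade: no
  forward-ports:'

# zone_drift RUNTIME_TEXT PERMANENT_TEXT  (hypothetical helper)
# Prints every tracked value present on only one side; no output means in sync.
zone_drift() {
    printf '%s\n@@permanent@@\n%s\n' "$1" "$2" | awk '
        BEGIN {
            n = split("services: ports: masquerade: forward-ports:", w, " ")
            for (i = 1; i <= n; i++) track[w[i]] = 1
        }
        # Marker line separates the runtime text from the permanent text.
        $1 == "@@permanent@@" { perm = 1; next }
        ($1 in track) {
            for (i = 2; i <= NF; i++) {
                key = $1 " " $i
                all[key] = 1
                if (perm) { pm[key] = 1 } else { rt[key] = 1 }
            }
        }
        END {
            for (k in all) {
                if (!(k in pm)) print "runtime-only " k
                if (!(k in rt)) print "permanent-only " k
            }
        }
    ' | LC_ALL=C sort
}

zone_drift "$RUNTIME" "$PERMANENT"
# Live: zone_drift "$(firewall-cmd --info-zone public)" \
#                  "$(firewall-cmd --permanent --info-zone public)"
```

Every runtime-only line is a setting that the next firewall-cmd --reload or reboot will drop unless it is also added with --permanent.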

Conclusion

In the above guide, you learned how to use FirewallD to block unwanted traffic in your system. You should now be able to limit all unnecessary connections and protect your server from attackers. Try FirewallD on an Atlantic.Net VPS!
